Abstract. Access control is an issue of paramount importance in cyber-physical systems (CPS). In this paper, an access control scheme, namely FEAC, is presented for CPS. FEAC not only controls access to data in normal situations, but also adaptively assigns emergency-roles and permissions to specific subjects and informs those subjects, without waiting for explicit access requests, so that emergency situations are handled in a proactive manner. FEAC introduces emergency-groups and emergency-dependency: emergencies are processed in sequence within a group and in parallel across groups. A priority and dependency model called PD-AGM selects the optimal response-action execution path, aiming to eliminate all emergencies that have occurred within the system. Fault-tolerant access control policies address failures in emergency management. A case study of a hospital medical care application shows the effectiveness of FEAC.

Key words: fault-tolerance, access control, cyber-physical systems, emergency management.
1. Introduction

Cyber-Physical Systems (CPS) integrate computing, communication and storage capabilities with the monitoring and control of entities in the physical world [1] [2] [3] [4]. The emergence of such systems is driving a revolution that includes high-confidence medical devices and systems, assisted living, traffic control and safety, advanced automotive systems, process control, energy conservation, environmental control, avionics, instrumentation, critical infrastructure control, distributed robotics, defense systems, manufacturing, and smart structures [5]-[9]. Security issues are crucial for CPS applications because the entities within such systems interact not only with each other but also with the physical environment, so these issues must be addressed before CPS applications can be widely deployed. Access control is an essential component of CPS security: it protects sensitive resources and services from unauthorized access and regulates the behavior of entities within the system.

Existing access control schemes such as RBAC, GRBAC and CAAC [10] [11] [12] traditionally provide access services in a passive manner: the subject must explicitly request access. The access control policies of these schemes are statically defined before the application is deployed and cannot be adjusted dynamically as the system environment changes. In an emergency situation in particular, traditional access control schemes cannot grant the privileges needed to execute the response actions that would avert failure of the system. In a CPS application the physical environment is an important part of the whole system, so when access control decisions are made, the environment context and the whole system context (not only the context of the accessing subject, but also the object context and the system state) must be taken into account.

In this paper, a new access control scheme called FEAC (Fault-tolerant Emergency-aware Access Control) is proposed. It provides proactive and adaptive access control policies aimed especially at the management of multiple emergencies, and supplies a fault-tolerant scheme for CPS applications. PD-AGM (Priority and Dependency-Action Generation Model) is introduced to select the optimal response action path for eliminating all the active emergencies within the system, drawing on the methods in [13] and [14]. The priority and dependency relationships between emergencies are used to exclude infeasible response action paths and to relieve the state explosion problem caused by combinations of emergencies. To handle all the emergencies in time, emergency-groups and emergency-roles are introduced so that multiple emergencies can be processed in parallel.

The remainder of this paper is organized as follows. Section 2 introduces related work. Section 3 presents the primary concepts of emergency management. Section 4 presents the FEAC scheme, including the PD-Action Generation Model and the access control policy. Section 5 gives the validation proof of the system model. Section 6 presents a case study to demonstrate the access control scheme. Section 7 concludes the paper.
2. Related Work

With the growth of pervasive computing technologies, researchers are paying increasing attention to a new area named CPS. Security is one of the most important problems that must be addressed in CPS applications [15] [16]. Much work has been done on access control, a primary component of system security, for pervasive computing systems and other systems.

Role Based Access Control (RBAC) [17] is one of the most influential schemes for authorizing access to information. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles rather than directly to subjects. RBAC provides an effective and easy way to enforce complex access control policies. Unlike RBAC, Context Based Access Control (CBAC) [18] avoids the notion of roles and associates permissions directly with subjects on the basis of context information. Usage Control (UCON) [19] [20] combines the notions of access control, trust management and digital rights management to provide fine-grained access control for unknown subjects. None of these schemes can preserve privacy when the system is in an emergency situation. Their access control policies run in a reactive manner and require an explicit access request from the subject. The access control policies of RBAC are static in nature and predefined before deployment. Although UCON and CBAC can change the permissions available to subjects, they only consider changes in the subject context, which is too simplistic for managing emergency situations in CPS.

The Policy Spaces (PS) model [21] provides adaptive emergency management. It divides policies into groups and provides access privileges for specific situations. However, PS works in a reactive manner by nature and cannot bring the emergencies within the system under control in time. Criticality-Oriented Access Control (COAC) [22] first introduced the notion of altering access control privileges to enable emergency management for smart spaces. The idea is to promote the role of specific subjects in the space so that they can execute response actions for a limited duration. COAC can only control systems with a single emergency. Criticality-Aware Access Control (CAAC) [23] [24] extends COAC with a stochastic modeling framework for evaluating the management of multiple emergencies in smart spaces. The stochastic modeling framework provides a mechanism for determining the response actions and for dealing with the stochastic nature of emergencies. The CAAC scheme is more proactive and adaptive than the other schemes.

Although the existing schemes contribute in various degrees to guaranteeing the security requirements of CPS applications, designing a proactive and adaptive access control scheme remains a challenging issue in CPS. In this paper, a new access control scheme that specifically addresses the emergency management problem and the fault-tolerance problem for CPS applications is proposed, building on the relevant schemes above. The major differences between this work and the aforementioned schemes are as follows:

(1) The PD-AGM model is introduced to select the optimal response action path for eliminating emergencies. The priority and dependency relationships between emergencies are used to exclude infeasible response action paths and to relieve the state explosion problem caused by combinations of emergencies.

(2) An influence factor is employed to represent precisely the influence between emergencies in a group, which helps to generate the optimal response action path. One emergency can influence other emergencies in terms of the emergency-duration, the probability of success and the execution time of specific response actions.

(3) To guarantee that emergencies are processed in time, emergency-groups and emergency-roles are adopted so that the emergencies within the system can be processed in parallel. Emergencies are grouped by the entity they belong to. Emergencies in different groups are processed in parallel, while emergencies within a group are processed in sequence.

(4) Role mapping and constraints are proposed for selecting the proper subjects to execute specific response actions. A hierarchical role structure is used to select the most suitable subject.

(5) A fault-tolerant scheme is proposed to protect the normal running of the system by proactively transferring permissions and services to substitute entities after a failure of emergency management.

3. Preliminaries 

In this section, we introduce some of the principal concepts of emergency management used in FEAC.

3.1. Emergency 

An emergency is defined as the effect of a series of events in the physical world [25] that can drive the system into unstable states. These events are called emergency events. The time available for executing the operations that restore the system to its normal state is called the emergency-duration (Ed), and the corresponding operations are called the response actions for the specific emergency within the system [26]. In a medical emergency, this time duration is called the golden hour, during which prompt medical treatment can save a life. If the emergency-duration expires, the system fails, causing loss of property and even of life.

3.2. Emergency Management 

Emergency management is designed to control all the active emergencies that occur in the system, to protect sensitive information and to limit the actions of the entities under emergency situations. It enables response actions that eliminate the active emergencies and so avoids system failures in a proactive manner. Emergency management for a single emergency includes three phases, shown in Figure 1: Detection and Preparation, Response, and Post-process. In the Detection and Preparation phase, the emergency is detected in a timely manner in order to leave time for executing the response actions; the response action path is selected once the emergency has been detected. In the Response phase, the response actions are performed to eliminate the active emergencies; an emergency-role and the permissions for executing the response actions are assigned to the selected subjects. Finally, in the Post-process phase, the response actions are evaluated and the properties of the emergency are updated if necessary; the response action path and the choice of response actions may be changed for the next execution.

In CPS, multiple emergencies may occur at the same time. Managing multiple emergencies is more complex than managing a single one:

(1) The system not only needs to track the handling of the emergencies that already exist, but also needs to detect the occurrence of new emergencies.

(2) Multiple emergencies that occurred on the same entity must be processed in sequence, and only one of them can be processed at a time, so the scheduling of multiple emergencies must be considered.

(3) The execution sequence is influenced by the dependency relationships between emergencies. Emergency-dependency exists both between emergencies that occurred on the same entity and between emergencies that occurred on different entities.

(4) Parallel processing of multiple emergencies is crucial for the performance of emergency management.

3.3. Emergency-group and Emergency-dependency 

Fig. 1. Single Emergency Management

According to the entity each emergency belongs to, multiple emergencies are divided into groups called emergency-groups. Emergencies in different groups can be processed in parallel. In FEAC, a special environment emergency-group is defined for the emergencies caused by the environment. An environment emergency affects other emergencies in various ways: the affected emergencies can be processed only once the environment emergency has been eliminated. A fire in the intensive care unit (ICU) is an example of an environment emergency; in that context, other rescue actions for patients can be deployed only when the fire is under control.

Emergency-dependency is first introduced in this paper. It reduces the number of states of the action generation model. In FEAC, the following five kinds of dependency relationship are considered.

Definition 1. Entity-dependency. Emergencies are divided into emergency-groups according to the entity each emergency belongs to.

Definition 2. Time-dependency. This dependency relationship indicates the processing sequence of the emergencies within an emergency-group.

Definition 3. Environment-dependency. This is a special dependency property of CPS applications. In CPS, the computing system interacts with the physical environment, so an environment emergency affects the emergencies of other entities. The dependency relationship between entity emergencies and the environment emergency is called environment-dependency.

Definition 4. Resource-dependency. The resource-dependency relationship indicates competition for a certain resource. Emergencies in different emergency-groups may have a resource-dependency relationship.

Definition 5. Subject-dependency. Some of the response actions for different emergencies need the same subject to perform them, and one subject cannot perform multiple response actions at the same time.
Fig. 2. Illustration of FEAC
To avoid dependency deadlock cycles within a group, we assign priorities to the emergencies and assume that a time-dependency may exist only from an emergency with higher priority to one with lower priority; a dependency cycle therefore cannot form. The time-dependency affects the execution sequence within the group. The entity-dependency determines the emergency-group of each emergency within the system. The last three dependencies exist between groups and affect the parallel processing of emergencies. A subject-dependency conflict can be resolved by reselecting the subjects for the emergencies.
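As an added illustration (not code from the paper), the following Python groups emergencies by entity and enforces the priority rule for time-dependency described above, so that a dependency cycle is rejected before scheduling; the class and function names and the sample emergencies are this example's own.

```python
# Added example, not from the paper: emergency-groups and the priority rule
# for time-dependency from Section 3.3. The names Emergency, build_groups,
# dependency_violations and processing_sequence are this example's own.
from dataclasses import dataclass, field


@dataclass
class Emergency:
    eid: str
    entity: str                  # entity it belongs to (entity-dependency)
    priority: int                # larger value = higher priority
    # time-dependency: Eids in the same group that must be processed first
    after: frozenset = field(default_factory=frozenset)


def build_groups(emergencies):
    """Entity-dependency: one emergency-group per entity. Groups are
    processed in parallel; emergencies inside a group in sequence."""
    groups = {}
    for e in emergencies:
        groups.setdefault(e.entity, []).append(e)
    return groups


def dependency_violations(group):
    """Return the (before, after) pairs whose time-dependency does not run
    from a strictly higher priority to a lower one. With no violations the
    dependency graph of the group cannot contain a cycle, because priority
    strictly decreases along every dependency edge."""
    by_id = {e.eid: e for e in group}
    bad = []
    for e in group:
        for before in sorted(e.after):
            if before not in by_id:
                bad.append((before, e.eid))      # dependency on another group
            elif by_id[before].priority <= e.priority:
                bad.append((before, e.eid))
    return bad


def processing_sequence(group):
    """Order in which the group is processed: descending priority. Because of
    the rule above this order satisfies every time-dependency as well, so no
    topological sort is needed. Equal priorities keep their input order here;
    PD-AGM explores all of their permutations instead."""
    if dependency_violations(group):
        raise ValueError("time-dependency must run from higher to lower priority")
    return [e.eid for e in sorted(group, key=lambda e: -e.priority)]


# Constructed sample: two patients (entities) and an environment group.
SAMPLE = [
    Emergency("E1", "patient_A", priority=3),
    Emergency("E2", "patient_A", priority=2, after=frozenset({"E1"})),
    Emergency("E3", "patient_A", priority=1, after=frozenset({"E2"})),
    Emergency("E4", "patient_B", priority=2),
    Emergency("E5", "environment", priority=5),
]

# A dependency from the lower-priority E3 back to E1 would close the cycle
# E1 -> E2 -> E3 -> E1; the priority rule rejects it before any scheduling.
CYCLIC = [
    Emergency("E1", "patient_A", priority=3, after=frozenset({"E3"})),
    Emergency("E2", "patient_A", priority=2, after=frozenset({"E1"})),
    Emergency("E3", "patient_A", priority=1, after=frozenset({"E2"})),
]

if __name__ == "__main__":
    for entity, group in build_groups(SAMPLE).items():
        print(entity, processing_sequence(group))
    print(dependency_violations(CYCLIC))
```
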

4. Fault-tolerant Emergency-aware Access Control

Figure 2 depicts the schematic diagram of the FEAC scheme for CPS applications. FEAC runs in one of three states: normal, emergency and fault-tolerant. Transitions follow the direction of the arrows. When an emergency event occurs, the system moves from the normal state to the emergency state; when no emergency remains active, it moves back to the normal state. A failure to find an optimal response path during emergency management brings the system to the fault-tolerant state. If the failure is addressed successfully, the system returns to the emergency state and continues emergency processing; otherwise, the system goes to the disaster state and disables all services.

The structure of FEAC is described in Figure 3. The lower layer is the data layer, which provides the data from which the decision entity generates the access control decisions. The original data consist of subjects (S), objects (O), permissions (P), roles (R) and constraints (C) as in core RBAC; additional data consist of contexts and constraints. The upper parts of the data layer are abstract data and dynamic data. ACMD (Access Control Meta-Data) abstracts the relations between subjects, roles and the corresponding permissions, and provides meta-data for the other units. CMU (Constraints Management Unit) provides access control constraints for both the normal state and the emergency state. DCMU (Dynamic Context Management Unit) processes the context data collected in the lower parts and provides higher-level contextual information for the components of the decision layer. In the decision layer, EMU (Emergency Management Unit) and FTU (Fault-Tolerant Unit) use the data provided by the data layer and interact with RMU to handle the emergencies that occur within the system and to generate the appropriate access control permissions. AMU (Account Management Unit) records all the action events of the system. ACPM (Access Control Policy Management) performs the access control.

Initially, the administrator of the system establishes the set of roles, permissions and constraints when FEAC is deployed. In the normal state, the permissions in the objects' ACLs are used to make access decisions; if necessary, entries are dynamically added to an ACL according to the constraints and the contexts of subjects and objects. When the system is in the emergency state, FEAC uses PD-AGM to evaluate the characteristics of the emergencies, selects the optimal response action path and response actions, and proactively activates the permissions. The selected subjects are proactively informed to access the system with the permissions assigned to the emergency-role.

4.1. Emergency Management in FEAC 

The emergency management structure is shown in Figure 4. ACMI (Access Control Meta-data Interpreter) and CCI (Constraint and Context Interpreter) are the interfaces to the meta-data, constraints and context information in the data layer. An emergency event is first detected by EDU (Emergency Detection Unit), and then EPDU (Emergency Property Determination Unit) determines the properties of the emergency, such as its Ed and TS (task set). Most of the operations are performed by EPU (Emergency Process Unit), which uses the data and the emergency properties to schedule emergencies and execute the response actions. The principal component of EPU is PD-AGM, which is responsible for generating the optimal response action path and the response actions for the emergency. EPU interacts with other system components through EMIU (Emergency Management Interaction Unit). ENU (Emergency Notification Unit) informs the selected subjects of the permissions they have been assigned. Each permission is associated with a time duration that restricts the period in which the subject can process the emergency.

4.1.1. PD-Action Generation Model

The Action Generation Model (AGM) was first introduced in [27]. It is an effective way to determine the response actions for emergencies. In AGM, Response Links (RL) represent the transitions that restore the system to the normal state. The stochastic crisis planning technique developed in [28] is used in AGM to model all the possible emergency states. Because of the diversity of emergency combinations, the state explosion problem remains an open issue.

PD-AGM is an extension of AGM and FDs [29] that uses priority and emergency-dependency for response action path generation. PD-AGM reduces the number of emergency states of the system and relieves the state explosion problem. Figure 5 illustrates the generation of the emergency state transition graph. The solid line and the longer dotted line distinguish the priority hierarchy from the dependency hierarchy; the shorter dotted line distinguishes different priorities within the dependency hierarchy. If emergencies have the same priority, the model uses a stochastic method to generate all the possible combinations. Each edge (RL) is associated with a time, the TS, the Ed and the execution time of the specific emergency. The algorithm for generating the state transition graph is described in Algorithm 1.

Algorithm 1 Emergency state transition graph generation
Input: group of emergencies g
Output: root node t of the emergency state transition graph

  Sort the emergencies in group g by priority
  for all emergency priority hierarchies do
      Put the dependent emergencies into the dependency hierarchy
      Remove them from the corresponding priority hierarchy
      while the dependency hierarchy is not Null do
          Put the dependent emergencies into the higher hierarchy
          Remove them from the corresponding priority hierarchy
      end while
  end for
  for all priority-dependency hierarchies do
      Sort the emergencies by priority
  end for
  Set the root node t of the emergency states
  for all sorted priority hierarchies do
      Randomly generate a state transition path and add it to the graph t
      Calculate and set the edge properties (Ed and execution time)
      Set the tail node of this hierarchy
  end for
  Set the tail node as the normal state and return the root node t

4.1.2. RL path and Response Actions 

The choice of the optimal RL path and response actions for a group of emergencies is crucial for emergency management. A TS is the set of response actions used to mitigate an emergency, denoted as $\langle \{a_1, a_2, \dots, a_k\}, t, p \rangle$, where $k$ is the number of sub-actions, $t$ is the execution time of the set of response actions and $p$ is the probability that the response actions execute successfully. In this paper, we select from the set of TSs the TS with the highest probability of success and associate it with the corresponding RL. An RL is denoted as $\langle Eid, TS, Ed \rangle$, where $Eid$ is the identity of the emergency to be processed and $Ed$ is the emergency-duration for executing the set of response actions in TS.
TS. Only when all groups of emergencies have been 



6 



G.W. Wu, D.Z. Lu, F. Xia, L. Yao 




eliminated, the system is considered to recover back 
to normal state. The TS is affected by the probability 
p and the available resources. We choose the TS with 
the highest probability in the executable set of TSs. 

The choice of RL depends on its P-value, which is defined as follows:

Definition 6. P-value. The P-value is the total probability of successful recovery to the normal state from the current emergency state.

The P-value $Pv(i)$ of the current node $i$ is calculated recursively by (1):

$$
Pv(i)=\begin{cases}
0 & \text{any } Ed \text{ expired}\\
1 & \text{normal state}\\
\max_{j=1,\dots,k}\big(p(i,j)\cdot Pv(j)\big) & \text{child nodes } j \text{ of } i
\end{cases} \qquad (1)
$$

Here $p(i,j)$ is the probability of reaching emergency state $j$ from state $i$. If the P-value of the root node is not zero, the path with the largest P-value is chosen as the optimal response path; if more than one path has the same P-value, the path with the shortest execution time is chosen. A P-value of zero indicates that no RL can meet the time requirement of the emergency-duration. Fault-tolerance overcomes this problem by choosing a substitute entity. After fault-tolerance has been performed, two heuristic selection algorithms are used to minimize the loss of property and life: one chooses the RL with the maximum probability of a successful transition to the normal state, and the other chooses the RL with the minimum execution time as the optimal response action path.
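As an added illustration (not code from the paper), the following Python builds the PD-AGM state tree of one emergency-group using the priority rule only (no dependency hierarchy), evaluates Eq. (1) with Ed expiry, and applies the path selection rules above, including the P-value-zero case that sends the system to fault tolerance. The class and function names and all sample numbers are this example's own.

```python
# Added example, not the paper's code: a small PD-AGM state tree for one
# emergency-group, the P-value recursion of Eq. (1) and the RL path choice of
# Section 4.1.2 (largest P-value, ties broken by shortest execution time,
# P-value 0 meaning fault tolerance is needed). Names and numbers are this
# example's own assumptions; the dependency hierarchy is not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class TS:            # task set <{a1..ak}, t, p>
    actions: tuple
    t: float         # execution time of the set of response actions
    p: float         # probability of successful execution


@dataclass(frozen=True)
class Emergency:
    eid: str
    priority: int    # larger = higher, processed first
    ed: float        # emergency-duration, measured from detection
    tss: tuple       # candidate task sets (only executable ones listed)


def choose_ts(e):
    """Section 4.1.2: the TS with the highest probability of success."""
    return max(e.tss, key=lambda ts: ts.p)


def next_emergencies(remaining):
    """Priority hierarchy: only the highest remaining priority may run next;
    equal priorities produce one branch per candidate (all combinations)."""
    top = max(e.priority for e in remaining)
    return [e for e in remaining if e.priority == top]


def p_value(remaining, elapsed=0.0):
    """Eq. (1). Returns (Pv, path, total_time) for the state in which the
    emergencies in `remaining` are still active after `elapsed` time units.
    Pv = 1 in the normal state, 0 when any Ed has expired, otherwise
    max_j p(i,j) * Pv(j) over the child states j."""
    if not remaining:                       # normal state
        return 1.0, [], elapsed
    best = (0.0, [], float("inf"))
    for e in next_emergencies(remaining):
        ts = choose_ts(e)
        finish = elapsed + ts.t
        if finish > e.ed:                   # this RL cannot meet the Ed:
            continue                        # the branch contributes Pv = 0
        child = tuple(x for x in remaining if x is not e)
        pv, path, total = p_value(child, finish)
        pv *= ts.p                          # p(i, j) * Pv(j)
        rl = (e.eid, ts, e.ed)              # RL = <Eid, TS, Ed>
        # larger P-value wins; equal P-values: shorter execution time wins
        if pv > best[0] or (pv == best[0] and pv > 0 and total < best[2]):
            best = (pv, [rl] + path, total)
    return best


def optimal_path(group):
    """Root-node evaluation: (Pv, list of Eids in order, total time), or
    None when the P-value is 0 and the fault-tolerant state must be entered."""
    pv, path, total = p_value(tuple(group))
    return None if pv == 0 else (pv, [rl[0] for rl in path], total)


# Constructed sample group (one entity): E1 has the highest priority, E2 and
# E3 share a priority, so both orders of E2/E3 are explored.
GROUP = (
    Emergency("E1", 3, ed=10, tss=(TS(("a1", "a2"), t=4, p=0.9),
                                   TS(("a3",), t=2, p=0.7))),
    Emergency("E2", 2, ed=12, tss=(TS(("b1",), t=5, p=0.8),)),
    Emergency("E3", 2, ed=11, tss=(TS(("c1",), t=3, p=0.95),)),
)

# Same group with a shorter Ed for E3: no ordering finishes E3 in time, so
# the root P-value is 0 and fault tolerance is needed.
HOPELESS = GROUP[:2] + (Emergency("E3", 2, ed=6, tss=(TS(("c1",), t=3, p=0.95),)),)

if __name__ == "__main__":
    print(optimal_path(GROUP))      # E1 first, then E3 before E2 (E2 last still meets its Ed)
    print(optimal_path(HOPELESS))   # None
```
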

The emergencies in a group are not independent; they interact with each other. The influence factor $a$ is used to represent the influence between the emergencies. It is defined as follows:

Definition 7. Influence factor $a$. The influence factor abstracts the influence exerted on an emergency by the other active emergencies in the group. Three properties are affected by $a$: priority, execution time and Ed, which are calculated with the following equations:

$$p'_{ji} = (1 - a)\,p_{ji} \qquad (2)$$

$$t'_{ji} = (1 + \alpha\,a)\,t_{ji} \qquad (3)$$

$$Ed'_{ji} = (1 - \beta\,a)\,Ed_{ji} \qquad (4)$$

where $\alpha$ and $\beta$ are the coefficients for the execution time and the emergency-duration respectively.

4.2. Fault-tolerance in FEAC 

A fault-tolerance module usually runs in a passive manner, after the system has crashed. In our scheme, it executes proactively by predicting failure of the system. As mentioned above, a P-value of 0 implies that emergency management will fail to eliminate all the active emergencies in the emergency-group: once the mitigation actions have been processed, the system goes to the disaster state. FEAC employs a further hierarchy to protect the system using a fault-tolerant method.

Figure 6 gives an example of exchanging the cluster head node of a wireless sensor network in order to tolerate damage to the cluster head node. The scheme selects a proper node to replace the previous one, adds the entries of the previous node's ACL to the substitute node's ACL, and assigns the roles of the previous node to the substitute. The concrete algorithm for achieving fault tolerance is given in Algorithm 2. The algorithm first checks whether the entity can tolerate faults. If it cannot, or if no substitute entity exists, the system moves to the disaster state and fails; otherwise, a substitute entity is activated to continue performing the jobs of the original entity. The substitute entity is selected from the EFGT (Entity Function Group Table) and has the same function as the entity encountering the fault.



Algorithm 2 Fault-tolerance algorithm
Input: entity e that needs to tolerate the fault

  if the property that indicates feasibility of fault-tolerance is false then
      exit and move to the Disaster state
  else if se ← findSubEntity(e) is Null then
      exit and move to the Disaster state
  else
      if getACL(e) is not Null then
          for all entries in the ACL do
              Add the entry to the ACL of se
              Inform the subject that has activated the role of the entity of the exchange of permissions
          end for
      end if
      if getRole(e) is not Null then
          Add the roles to the ASRT (Active Subject Role Table) of se
          Inform se of the associated permissions
      end if
  end if

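As an added illustration (not the paper's code), the following Python runs Algorithm 2 over in-memory versions of the EFGT, ACL and ASRT tables for the cluster-head scenario above; the table layout, the rule for picking the substitute (the first healthy entity with the same FGid) and the names System, find_sub_entity and fault_tolerance are this example's assumptions.

```python
# Added example, not the paper's code: Algorithm 2 over in-memory versions of
# the EFGT, ACL and ASRT tables from Sections 4.2 and 4.3.3. Table layout,
# the substitute-selection rule and all names are this example's assumptions.
DISASTER = "Disaster"


class System:
    def __init__(self):
        self.efgt = {}      # entity -> FGid (Entity Function Group Table)
        self.healthy = set()
        self.ft_ok = {}     # entity -> feasibility of fault-tolerance
        self.acl = {}       # entity -> {(role, permission), ...}
        self.asrt = {}      # entity -> set of active roles
        self.notices = []   # messages ENU would send (recorded for inspection)

    def find_sub_entity(self, e):
        """Substitute: a still-healthy entity in the same function group."""
        fg = self.efgt.get(e)
        for cand, cand_fg in sorted(self.efgt.items()):
            if cand != e and cand_fg == fg and cand in self.healthy:
                return cand
        return None

    def fault_tolerance(self, e):
        """Returns the substitute entity, or DISASTER when none is possible."""
        if not self.ft_ok.get(e, False):
            return DISASTER
        se = self.find_sub_entity(e)
        if se is None:
            return DISASTER
        self.healthy.discard(e)
        # Hand over the ACL entries and inform the subjects holding those roles.
        for role, perm in sorted(self.acl.get(e, ())):
            self.acl.setdefault(se, set()).add((role, perm))
            self.notices.append((role, f"permission {perm} moved {e}->{se}"))
        # Hand over the active roles (ASRT) and inform the substitute.
        if self.asrt.get(e):
            self.asrt.setdefault(se, set()).update(self.asrt[e])
            self.notices.append((se, f"roles {sorted(self.asrt[e])} activated"))
        return se


def constructed_cluster():
    """Constructed WSN cluster: head node n1 and two spare nodes of the same
    function group; n1's ACL entries and roles must survive its failure."""
    s = System()
    s.efgt = {"n1": "FG-head", "n2": "FG-head", "n3": "FG-head", "n9": "FG-sensor"}
    s.healthy = {"n1", "n2", "n3", "n9"}
    s.ft_ok = {"n1": True, "n9": False}
    s.acl = {"n1": {("nurse", "read_vitals"), ("doctor", "write_orders")}}
    s.asrt = {"n1": {"cluster_head"}}
    return s


if __name__ == "__main__":
    s = constructed_cluster()
    print(s.fault_tolerance("n1"), s.acl["n2"], s.asrt["n2"])   # n2 takes over
    print(s.fault_tolerance("n9"))                               # Disaster
```
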
4.3. FEAC Policy Specification 

4.3.1. Emergency-role and Subject Selection 

In FEAC, an emergency-role is temporarily designated to execute response actions that a normal-role is not allowed to perform. In the emergency state, a subject can be associated with only one emergency-role, because one subject can process only one emergency at a time; otherwise, waiting for the subject to finish performing its response actions would delay the processing of other emergencies and could make them uncontrollable. In addition, associating one subject with just one emergency-role is convenient for the parallel processing of emergencies. The minimum permissions are assigned to the emergency-role in order to limit the damage that malicious entities could do.

Emergency-role mapping and role-constraint mapping are used to hierarchically select the most suitable subjects to execute the response actions. In emergency-role mapping, each emergency-role is mapped to normal-roles (one to many), forming a hierarchy. Subjects holding normal-roles higher in the hierarchy are more suitable to execute the response actions than those holding normal-roles lower in the hierarchy. The constraints on the normal-role in the emergency-role mapping guarantee the correctness of the subject selection; examples are the distance between the subject's location and the place where the emergency occurred, the number of subjects that can be associated with the emergency-role, and the properties of the subject (experience, licenses and certificates).

4.3.2. Enabling Response Actions 

Once the response actions and subjects have been selected, the next stage is to enable the permissions for the subjects to execute the response actions, to notify the subjects, and to rescind the permissions when necessary. It includes four steps:

(1) According to the RL and the selected response actions, assign the corresponding permissions to the emergency-role. The Ed of the emergency is associated with the permissions to limit the time the subjects have to execute the response actions.

(2) Proactively switch the selected subjects to the emergency-role, and record their normal-roles for recovery.

(3) Inform the chosen subjects to use the permissions to execute the response actions that eliminate the emergency.

(4) Rescind the assigned permissions after the emergency has been resolved or the Ed has expired.
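As an added illustration (not the paper's code), the following Python puts the emergency-role mapping of Section 4.3.1 and the four enabling steps above together: an RMT that lists normal-roles in hierarchy order, an RCT constraint (maximum distance, a required certificate, a cap on the number of subjects), Ed-bounded permissions on the emergency-role, the ORT record of the original roles, and the rescind step. The concrete constraint fields, all names and the sample subjects are this example's assumptions.

```python
# Added example, not the paper's code: emergency-role mapping (RMT/RCT) from
# 4.3.1 and the four enabling steps of 4.3.2 with Ed-bounded permissions.
# The constraint fields, the names and the sample subjects are assumptions.
from dataclasses import dataclass, field


@dataclass
class Subject:
    sid: str
    roles: set            # normal-roles currently active (ASRT entry)
    location: tuple       # (x, y), constructed coordinates
    certs: set = field(default_factory=set)
    busy: bool = False    # one subject, one emergency-role at a time


@dataclass
class Constraint:         # RCT entry for an emergency-role
    max_distance: float
    needs_cert: str = ""  # empty string: no certificate required
    max_subjects: int = 1


RMT = {  # emergency-role -> normal-roles, most suitable (highest) first
    "er_resuscitate": ["icu_doctor", "doctor", "nurse"],
}
RCT = {"er_resuscitate": Constraint(max_distance=50.0, needs_cert="ACLS")}
ORT = {}           # Old Role Table: sid -> normal-roles to restore
ACL = {}           # emergency-role -> {(operation, object, td)}


def distance(a, b):
    return ((a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2) ** 0.5


def role_map_sel(er, subjects, site):
    """Walk the RMT hierarchy from the top and return the first subjects that
    satisfy the RCT constraints; a higher level is preferred outright, and
    within a level the nearest subjects are taken up to max_subjects."""
    c = RCT[er]
    for normal_role in RMT[er]:
        chosen = [s for s in subjects
                  if normal_role in s.roles and not s.busy
                  and distance(s.location, site) <= c.max_distance
                  and (not c.needs_cert or c.needs_cert in s.certs)]
        if chosen:
            chosen.sort(key=lambda s: distance(s.location, site))
            return chosen[:c.max_subjects]
    return []


def enable_response(er, subjects, ts_perms, ed):
    """Steps (1)-(3): bind the permissions to the emergency-role with td = Ed,
    switch the subjects to the emergency-role while recording their
    normal-roles in ORT, and return the notifications ENU would send."""
    ACL[er] = {(op, obj, ed) for op, obj in ts_perms}           # step 1
    notes = []
    for s in subjects:                                         # step 2
        ORT[s.sid] = set(s.roles)
        s.roles = {er}
        s.busy = True
        notes.append((s.sid, er, sorted(ACL[er])))             # step 3
    return notes


def rescind(er, subjects, now, ed, solved):
    """Step (4): once the emergency is solved or Ed has expired, drop the
    permissions and give the subjects their original roles back."""
    if not (solved or now >= ed):
        return False
    ACL.pop(er, None)
    for s in subjects:
        s.roles = ORT.pop(s.sid, s.roles)
        s.busy = False
    return True


SUBJECTS = [   # constructed; the emergency site is at (0, 0)
    Subject("s1", {"icu_doctor"}, (120.0, 0.0), {"ACLS"}),   # too far away
    Subject("s2", {"doctor"}, (10.0, 5.0), {"ACLS"}),
    Subject("s3", {"doctor"}, (3.0, 4.0), set()),            # lacks certificate
    Subject("s4", {"nurse"}, (1.0, 1.0), {"ACLS"}),
]

if __name__ == "__main__":
    site = (0.0, 0.0)
    chosen = role_map_sel("er_resuscitate", SUBJECTS, site)          # s2
    print(enable_response("er_resuscitate", chosen, [("defibrillate", "bed_7")], 30.0))
    print([s.sid for s in role_map_sel("er_resuscitate", SUBJECTS, site)])  # s4: s2 is busy
    print(rescind("er_resuscitate", chosen, now=31.0, ed=30.0, solved=False))
```
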

4.3.3. Policy Implementation 

Given the system structure of FEAC, this subsection describes the principal components of the access control model and the policy implementation. Table 1 shows the set components of the access control model, namely the notions of role, subject, object, permission, ACL, emergency and constraint. Table 2 lists the table components of the access control model. SRT and ASRT store the roles that can be allocated to, and that have been activated for, subjects. TDT and EDT are the tables of time-dependency and environment-dependency. RMT and RCT are used to select the most appropriate subjects to execute the response actions. The original roles of a subject are stored in the ORT and are reassigned when necessary. Entities with the same function are grouped in the EFGT.

Table 1. Set Components of Access Control Model

Subject (S): S = set of {<Sid, Pt>}, where Pt is the properties of the subject and Sid = unique <string>
Object (O): O = set of {<Oid, ACL>}, where Oid = unique <string> and ACL is the access control list
Role (R): R = NR ∪ ER, where NR and ER are both sets of {<role>}, representing the normal-roles and the emergency-roles respectively
Permission (P): P = set of {<Oid, op, td>}, where td is the time duration limiting the use of the permission
Access Control List (ACL): ACL = set of {<r, p>}, where r ∈ R and p ∈ P
Emergency (E): E = set of {<Eid, TSs, Ed, Pro, e>}, where Eid = unique <string>, TSs = set of {<TS>}, Pro is the priority, and e is the entity on which the emergency happens
Constraint (C): C = set of <constraint>

Table 2. Table Components of Access Control Model

Subject Role Table (SRT): SRT = set of {<s, rs>}, where s ∈ S and ∀r ∈ rs, r ∈ R
Active Subject Role Table (ASRT): ASRT = set of {<s, rs>}, where ASRT ⊆ SRT
Time Dependency Table (TDT): TDT = set of {<Eid1, Eid2>}, where the emergency with Eid1 executes before the one with Eid2
Environment Dependency Table (EDT): EDT = set of {<e, Eid>}, where entity e depends on the environment emergency with Eid
Role Mapping Table (RMT): RMT = set of {<er, X, cr>}, where ∀g ∈ X, g ∈ NR, and cr ∈ C
Role Constraint Table (RCT): RCT = set of {<er, c>}, where er ∈ ER and c ∈ C
Old Role Table (ORT): ORT = set of {<s, rs>}, where s ∈ S and rs ⊆ ASRT
Entity Function Group Table (EFGT): EFGT = set of {<e, FGid>}, where FGid = unique <string>

Algorithm 3 illustrates the execution model of FEAC, which runs in a loop to monitor transitions of the system state. The function checkSysState() checks and returns the current system state. If a change is detected, the system rescinds the previous permissions and sets the appropriate system state. When the system is in the emergency state, it decides according to the P-value whether to use fault-tolerance. The functions probFirstSel(), timeFirstSel() and optimalSel() are chosen in different situations. The function findEmy() finds the set of emergencies that need to be processed. For each emergency in the set, the subject to execute the response actions is selected by the functions roleMapSel() and roleConsSel() using the RMT and the RCT respectively. Once the subjects have been selected, the system assigns the corresponding permissions to the emergency-role and informs the subjects to use the permissions. All the actions are recorded so that any malicious activity can be detected. After these actions, the system waits for a duration tp and repeats the whole process.

Algorithm 3 FEAC execution model

  selSubject ← NULL
  Mode ← Normal
  curState ← N
  while true do
      t ← checkSysState()
      if t ≠ curState then
          if t = N then
              Mode ← Normal
          else
              Mode ← Emergency
          end if
          RescPerm ← (t ⊕ curState)
          curState ← t
      end if
      if Mode = Emergency then
          for all emergency-groups egid do
              if hasNewEmy(egid) ≠ NULL then
                  pv ← getPvalue(egid)
                  if pv = NULL then
                      faultTolerance(egid)
                      if prob ≠ 1 then
                          probFirstSel(egid)
                      else
                          timeFirstSel(egid)
                      end if
                  else
                      optimalSel(egid)
                  end if
              end if
          end for
          curEmy ← findEmy(t)
          if curEmy ≠ NULL then
              for all c ∈ curEmy do
                  er ← emyRole(c)
                  selSubject ← roleMapSel(er)
                  if selSubject = NULL then
                      selSubject ← roleConsSel(er)
                  end if
                  if selSubject ≠ NULL then
                      TS ← getTS(c)
                      addACL(er, TS)
                      alterRole(selSubject, er)
                      informSub(selSubject, TS, er)
                  end if
              end for
              recordAct()
          end if
      end if
  end while

5. Validation of FEAC 

FEAC should work in a proactive and adaptive manner in order to provide the right set of permissions to the right set of subjects at the right time. In this section, we prove that the FEAC model can meet the following properties/requirements: responsiveness, correctness, security, liveness and non-repudiation.

Theorem 1. Responsiveness. FEAC ensures that once an emergency occurs, the system will detect it in time, assign proper permissions, and inform the selected subjects.

Proof. The FEAC model periodically detects the emergencies as shown in Algorithm 3 on line 5. After waiting for a duration tp, the system calls the function checkSysState() to get the current state and compares it with the previous one in order to detect new emergencies and changes in the system state. Lines 35 through 44 are used for subject selection, permission association and subject notification. The role of the subject is altered by function alterRole() and the permissions are added into the ACL by function addACL(). □

Theorem 2. Correctness. An emergency-role can be designated and the response actions can be executed if and only if the system is in the emergency state. Different path selection algorithms are processed in the corresponding situations.

Proof. If the system is in the emergency state, the system mode changes to emergency mode, and the value returned by function findEmy() is not empty. Then the code after line 33 in Algorithm 3 is executed. The emergency-role is designated and assigned to the selected subject, then the response actions are performed. On the other hand, if the emergency-role is designated, it means that the condition is true and the system is in the emergency state. In this case, if the P-value is not 0, the optimalSel() algorithm (line 28) is selected. Otherwise, according to the value of prob, the maximum probability path (line 23) or the minimum execution time path (line 25) is selected respectively. □

Theorem 3. Security. The permissions assigned to execute the response actions can only be used in emergency mode. Fault-tolerance can only be processed when emergency management fails.

Proof. When the system moves from emergency mode to normal mode, the function rescPerm() is executed. The permissions and the subject's role are rescinded as well. The permissions for executing the response actions can never be used in the normal state. When the P-value is 0 (line 20), function faultTolerance() is called. □

Theorem 4. Liveness. The time duration of the access permissions is limited, and the system must have the ability to rescind the permissions when the emergency is eliminated or the Ed has expired.

Proof. When the system state goes back to the normal state, the access permissions are rescinded. On lines 8 and 12 in Algorithm 3 the change of system state is detected, then on line 12 the permissions are rescinded to satisfy the security requirements. □

Theorem 5. Non-Repudiation. Malicious actions performed in emergency situations are restricted, and the subject cannot repudiate them.

Proof. The permissions for executing the response actions are limited by the Ed of the emergency. On line 47 in Algorithm 3 the recordAct() function records all the actions performed in the system, such as the assignment of emergency-roles and permissions, the execution of the response actions and the notification of the selected subjects. Once malicious actions occur, the system records them in the log files. □
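A compact model of the execution loop of Algorithm 3 together with the security (Theorem 3) and liveness (Theorem 4) properties, given as an added example rather than the paper's own code. It assumes Python dictionaries for the RMT, RCT, ACL, ASRT and ORT, td measured in seconds, subject contexts constructed as (status, location) pairs, and a constructed scenario that follows the hospital case study (emergency-role "P1 DIC", subjects ID1 and ID4).

```python
from dataclasses import dataclass, field

@dataclass
class Feac:
    mode: str = "Normal"
    rmt: dict = field(default_factory=dict)   # RMT: er -> (normal-roles mapped to er, constraint(ctx))
    rct: dict = field(default_factory=dict)   # RCT: er -> role-constraint(ctx) used when RMT selects nobody
    acl: dict = field(default_factory=dict)   # ACL: er -> [(oid, op, td, granted_at)], td in seconds
    asrt: dict = field(default_factory=dict)  # ASRT: subject -> active roles
    ort: dict = field(default_factory=dict)   # ORT: subject -> roles saved before alterRole()
    log: list = field(default_factory=list)   # recordAct(): every assignment and every rescind

    def on_state(self, state: str) -> None:  # feed checkSysState(): 'N' is normal, else emergency
        new_mode = "Normal" if state == "N" else "Emergency"
        if new_mode == "Normal" and self.mode == "Emergency":  # rescPerm(): revoke all grants,
            self.acl.clear()                                    # restore the old roles (ORT)
            self.asrt.update(self.ort)
            self.ort.clear()
            self.log.append("rescPerm")
        self.mode = new_mode

    def select(self, er: str, ctx: dict):  # roleMapSel() via RMT, then roleConsSel() via RCT
        roles, cons = self.rmt[er]
        cands = [s for s, rs in self.asrt.items() if rs & roles and cons(ctx[s])]
        if not cands and er in self.rct:
            cands = [s for s in self.asrt if self.rct[er](ctx[s])]
        return cands[0] if cands else None

    def handle(self, eid: str, er: str, ts: list, ctx: dict, now: float):
        # One emergency: select a subject, addACL(), alterRole(), recordAct(); None if nobody fits.
        if self.mode != "Emergency" or (s := self.select(er, ctx)) is None:
            return None
        self.acl[er] = [(oid, op, td, now) for oid, op, td in ts]
        self.ort[s], self.asrt[s] = self.asrt[s], {er}
        self.log.append(f"{eid}: {er} -> {s}")
        return s

    def allowed(self, subject: str, oid: str, op: str, now: float) -> bool:
        # Only in emergency mode, only through an emergency-role, only within the grant's td.
        return self.mode == "Emergency" and any(
            o == oid and p == op and now - t0 <= td
            for er in self.asrt.get(subject, ()) for o, p, td, t0 in self.acl.get(er, ()))

if __name__ == "__main__":  # constructed scenario from the case study: E3 (cardiac arrest) on P1
    f = Feac(rmt={"P1 DIC": ({"Doctor", "Nurse"}, lambda c: c[0] == "idle")},
             rct={"P1 DIC": lambda c: c[1] == "hospital"}, asrt={"ID1": {"Doctor"}, "ID4": {"Doctor"}})
    f.on_state("E3")
    print(f.handle("E3", "P1 DIC", [("P1HealthData", "r&w", 480)],
                   {"ID1": ("busy", "ICU"), "ID4": ("idle", "hospital")}, 0), f.log)
```

The idle Doctor ID4 is selected through the RMT, gets the emergency-role and the time-limited grant, and loses both when the state returns to normal; the audit log keeps the assignment and the rescind.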

6. Case Study 

In this section, we present an example to illustrate how FEAC can be used for CPS applications. The case of hospital medical care shows the ability of FEAC to handle multiple emergencies in emergency situations. The emergencies that occurred in the hospital medical care application are shown in Table 3. E1 and E2 are environment emergencies. E3 to E5 are emergencies that occurred on patient 1. E6 and E7 are emergencies that occurred on patient 2. Figure 7 shows the PD-AGM for the hospital medical care application. The generation of the emergency state transition graph uses the dependency relationships and influence factors in Figure 7. To simplify calculation, the
Table 3. Emergencies in hospital medical care

ID | Emergency      | prio | Ed     | Task-Set (TS)                                                         | Exec. Time | prob
E1 | Fire           | 3    | 20 min | {<ICU Door, <u>>, <FireExtinguisher, <u>>}                            | 3 min      | 0.8
E2 | Dust and Smoke | 4    | 10 min | {<Ventilation fan, <u>>, <ICU Door, <u>>}                             | 2 min      | 0.85
E3 | Cardiac Arrest | 6    | 8 min  | {<P1HealthData, <r&w>>, <Defibrillator1, <u>>, <ICU Door, <u>>}       | 1 min      | 0.8
E4 | Headache       | 9    | 30 min | {<P1HealthData, <r&w>>, <Medicine Room Door, <u>>, <ICU Door, <u>>}   | 1 min      | 0.9
E5 | Fever          | 9    | 20 min | {<P1HealthData, <r&w>>, <Medicine Room Door, <u>>, <ICU Door, <u>>}   | 2 min      | 0.95
E6 | Arrhythmia     | 7    | 18 min | {<P1HealthData, <r&w>>, <Electrocardiograph, <u>>, <ICU Door, <u>>}   | 2 min      | 0.85
E7 | Angina Cordis  | 8    | 12 min | {<P2HealthData, <r&w>>, <ICU Door, <u>>}                              | 1 min      | 0.9




[Figure 7 panels "Influence Factor", "Dependency", "Emergency State Transition Graph", "Time Dependency" and "Environment Dependency" are graphical and not reproduced here; the three tabular panels of the figure are summarised below.]

Role Mapping (ER | NR | Cons. | Role Cons.):
E1 | All | hospital, no | -
E2 | All | hospital, 1 | -
E3, E4, E5 | P1 DIC | idle, watch room; a medical qualification, hospital | Doctor, Nurse
E6, E7 | P2 DIC | idle, watch room; a medical qualification, hospital | Doctor, Nurse

Subject Role and Context (Subject ID | Role | Old Role | Context):
ID1 | E2 | P1 DIC, Doctor | busy, ICU
ID2 | E3 | P2 DIC, Doctor | busy, ICU
ID3 | E6 | Nurse | busy, ICU
ID4 | Doctor | - | idle, hospital
ID5 | P1 | - | E3, E4, E5, ICU
ID6 | P2 | - | E6, E7, ICU

Entity Function Group (Entity ID | Entity Name | Function Group ID):
ID7 | Defibrillator 1 | FG1
ID8 | Defibrillator 2 | FG1
ID9 | Electrocardiograph 1 | FG2
ID10 | Electrocardiograph 2 | FG2

Fig. 7. PD-AGM for hospital medical care

values of α and β are set to 1. The dependency between entity P1 and emergency E1 is an environment dependency. Environment dependency also exists between entities P2 and P1, as well as between entity P2 and E2. The emergencies in the emergency-groups of P1 and P2 must wait for the accomplishment of the corresponding environment emergencies. Notice that the two paths of state {4, 5} have the same P-value of 0.684, and the corresponding execution times are 3.4 min and 3.2 min respectively. Then the right RL path is selected.

The principal components of the FEAC for the hospital medical care application are shown in Figure 7. All the normal-roles map to the emergency-roles P1 and P2. The constraints for selecting subjects include the position limitation and the number of executions. The role-constraints are used when no subject has been selected. The original roles of the subject are recorded, and reassigned when the response actions have been executed. The entries in the ACL of the objects influence the access control decisions for the access requests of specific subjects.
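The emergency-group processing of this case study (sequential within a group, parallel across groups, each group gated by its environment dependencies), as an added example that is not the paper's code. Priorities, execution times and probabilities come from Table 3 and the dependencies from the text above; the time-dependency pair E6 before E7, the treatment of a dependency on an entity as waiting for that entity's whole group, and the rule "smaller priority value first, shorter execution time as tie-break" are assumptions made for the demo.

```python
# Constructed from Table 3: Eid -> (priority, execution time in minutes, success probability)
EMERGENCIES = {"E1": (3, 3, 0.8), "E2": (4, 2, 0.85), "E3": (6, 1, 0.8), "E4": (9, 1, 0.9),
               "E5": (9, 2, 0.95), "E6": (7, 2, 0.85), "E7": (8, 1, 0.9)}
# Emergency-groups as in the case study: the environment, patient 1 and patient 2.
GROUPS = {"ENV": ["E1", "E2"], "P1": ["E3", "E4", "E5"], "P2": ["E6", "E7"]}
# EDT from the case-study text: a group waits for these emergencies / entities.
EDT = {"P1": {"E1"}, "P2": {"P1", "E2"}}
# TDT: (Eid1, Eid2) means Eid1 executes before Eid2 (assumed pair for the demo).
TDT = {("E6", "E7")}

def satisfied(dep: str, done: set) -> bool:
    # A dependency on an entity means its whole group is finished; otherwise a single Eid.
    return all(e in done for e in GROUPS[dep]) if dep in GROUPS else dep in done

def next_round(done: set) -> dict:
    # findEmy(): per group (parallel), the single next emergency (sequential) allowed to run now.
    chosen = {}
    for gid, members in GROUPS.items():
        if not all(satisfied(d, done) for d in EDT.get(gid, ())):
            continue  # environment dependency not yet eliminated: the whole group waits
        ready = [e for e in members if e not in done
                 and all(a in done for a, b in TDT if b == e)]
        if ready:  # assumption: smaller priority value first, then shorter execution time
            chosen[gid] = min(ready, key=lambda e: (EMERGENCIES[e][0], EMERGENCIES[e][1]))
    return chosen

def schedule() -> list:
    # Run rounds until every emergency is eliminated; each round is a set of parallel actions.
    done, rounds = set(), []
    while len(done) < len(EMERGENCIES):
        step = next_round(done)
        if not step:
            raise RuntimeError("dependency cycle: no emergency can proceed")
        rounds.append(step)
        done |= set(step.values())
    return rounds

if __name__ == "__main__":
    for i, step in enumerate(schedule(), 1):
        print(f"round {i}: {step}")
```

The patient groups only start once the fire (E1) and, for patient 2, also patient 1's emergencies and the smoke (E2) are eliminated, which is exactly the waiting the text describes.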

7. Conclusion 

In this paper, a fault-tolerant emergency-aware access control scheme called FEAC has been presented, which provides proactive and adaptive access control policies to address the multiple-emergency management problem and the fault-tolerance problem for CPS applications. The PD-AGM model is introduced to select the optimal response action path for eliminating all the active emergencies. The priority and dependency relationships of emergencies are used to exclude the infeasible response action paths and relieve the emergency combination state explosion problem. In order to handle all the emergencies in a timely manner, emergency-group and emergency-role are introduced for processing multiple emergencies in parallel. FEAC can meet the responsiveness, correctness, security, liveness and non-repudiation requirements. A case study of a hospital medical care application has illustrated the effectiveness of FEAC.